2025-10-11 GnuCash IRC logs
00:16:46 *** Aussie_matt has joined #gnucash
00:16:46 *** warlord has quit IRC
00:22:50 *** gncbot has joined #gnucash
01:29:26 *** mechtilde_ has joined #gnucash
01:39:54 *** chris has joined #gnucash
01:39:54 *** ChanServ sets mode: +v chris
01:42:18 *** fell has quit IRC
01:43:36 *** fell has joined #gnucash
01:43:36 *** ChanServ sets mode: +o fell
02:08:48 *** mechtilde_ has joined #gnucash
02:14:34 *** gjanssens has joined #gnucash
02:14:34 *** ChanServ sets mode: +o gjanssens
02:55:54 *** chris has quit IRC
04:07:37 *** chris has joined #gnucash
04:07:37 *** ChanServ sets mode: +v chris
05:29:38 *** chris has quit IRC
07:56:27 *** chris has joined #gnucash
07:56:27 *** ChanServ sets mode: +v chris
07:58:24 <chris> lol... i10n bug. I was experimenting with LANG_xx_XX...
07:58:50 <chris> IIRC to reproduce: launch in 1 language, open SX editor, quit, launch in 2nd language; SX editor tab retains 1st language
08:01:06 <chris> yups
08:01:17 <chris> stored in .gcm PageName
08:09:39 *** ChanServ sets mode: +qo warlord warlord
08:09:41 *** warlord sets mode: +o gncbot
08:43:27 *** chris has quit IRC
09:47:21 *** xavier has joined #gnucash
09:55:41 *** chris has joined #gnucash
09:55:41 *** ChanServ sets mode: +v chris
09:55:41 *** gncbot sets mode: +o chris
10:37:58 *** Aussie_matt has quit IRC
10:45:42 *** chris has quit IRC
14:51:04 <jralls> warlord, so about extracting the BZ database. Can you arrange for me to access it?
15:18:13 <warlord> jralls, I was thinking -- could we go edit the user database to maybe figure out how the bots are getting in?
15:26:54 *** sacdrj has joined #gnucash
15:46:29 *** sacdrj has quit IRC
15:50:14 *** sacdrj has joined #gnucash
15:52:20 *** mechtilde_ has quit IRC
15:53:55 <jralls> warlord, there are hundreds of users. Doing anything through the CGI scripts, that AFAICR only work on one at a time, would take forever. Maybe if you could do a reversible update query in the DB that makes all but yours and mine invalid--look at Wm Tarr's for a possible way--we could turn it back on and see what happens. You'll want to enable logging on apache that captures every byte of every request so we can dissect it if they get in anyway.
15:56:40 *** sacdrj has quit IRC
15:56:44 *** sacdrj has joined #gnucash
16:01:17 *** sacdrj has quit IRC
16:11:08 *** sacdrj has joined #gnucash
16:15:39 *** sacdrj has quit IRC
16:29:45 *** sacdrj has joined #gnucash
16:41:43 <warlord> jralls, looks like there are 7000ish users in the DB. There was one recent user with a nonsense email address. I disabled that one. And I plan to turn off user creation.
16:43:08 <warlord> (in fact, it was the most recently added user)
16:43:35 <warlord> Email: ywvjznkuiivqntppje@fxavaj.com
16:48:36 <warlord> Done. Nobody can sign up now.
16:56:00 *** xavier has quit IRC
16:59:56 <warlord> I guess next we go through the existing (7000) accounts and try to weed out the fake ones, or ones that don't do anything?
17:02:33 <jralls> We can, but it will take a long time unless you do it with a database query.
17:03:18 <jralls> When did the fake user add itself? Was it after you turned on requiring approval?
17:09:07 *** gjanssens has quit IRC
17:32:40 *** sacdrj has quit IRC
17:34:44 *** sacdrj has joined #gnucash
18:00:36 <Simon> Add extra logging whenever someone auths?
18:00:58 <Simon> Delete the sessions so that everyone has to re-auth
18:15:36 <warlord> jralls, I'm not sure how to tell, honestly. There is a "last seen date", but not a "created at"
18:16:18 <warlord> Simon, I'd rather not hack the perl code, but I don't know of a way to turn that on by a flag.
18:16:51 <warlord> I can make it so everyone has to re-auth every session, but I don't know how to delete existing sessions.
18:20:16 <warlord> Login status is stored in a cookie -- I could upset users by requiring them to login every time they started a new browser session, but I don't think that would necessarily affect the bots.
18:22:14 *** sacdrj has quit IRC
18:53:18 *** sacdrj has joined #gnucash
19:12:51 *** sacdrj has quit IRC
19:13:04 <jralls> warlord, it would be reasonable to set the cookie lifetime to 24 hours. That likely would annoy only chris and me, it seems unlikely anyone else is continuously logged in.
19:23:28 <warlord> let me see if I can figure out how to get BZ to do that.
19:24:48 <warlord> Okay, I set "rememberlogin" to "off", but I don't think it necessarily sets a cookie lifetime per se.
19:24:56 <jralls> You should be able to get account creation from the audit_log table: select user_id, at_time from audit_log where class = "Bugzilla::User" and field = "login_name" order by user_id;
19:26:55 <jralls> According to https://bugzilla.readthedocs.io/en/latest/administering/parameters.html it makes cookies expire when the session ends.
19:27:32 *** sacdrj has joined #gnucash
19:29:17 <jralls> Some more detail about BZ auth: https://schema.bugzilla.org/?action=single&version=5.2&view=View+schema#notes-authentication
19:32:49 *** sacdrj has quit IRC
19:32:53 *** sacdrj has joined #gnucash
19:37:24 <warlord> I removed some cookies from some recent users (including this weird one I pointed out earlier). I've changed the cookies to expire with the browser session.
19:37:49 <warlord> So we'll see how it goes.
19:42:10 <jralls> I'd delete everything from logincookies. Make everybody start over.
19:45:34 <jralls> Oh, there's a profiles_activity table change info so you can select * from profiles_activity where userid = (select userid from profiles where login_name='ywvjznkuiivqntppje@fxavaj.com') to find out when the fake user account was created.
19:54:42 <jralls> Do you have the values of the logincookies entries you deleted? The IP address of the request that you posted 2 weeks ago was 185.106.28.187. If your hypothesis about ywvjznkui... is right the ipaddr field should match.
20:21:01 *** sacdrj has quit IRC
20:35:36 *** sacdrj has joined #gnucash
20:36:06 *** sacdrj has quit IRC
21:20:09 *** gncbot has joined #gnucash
21:20:39 *** aj has joined #gnucash
21:20:39 *** ChanServ sets mode: +v aj
21:21:18 *** fell has joined #gnucash
21:21:18 *** ChanServ sets mode: +o fell
21:21:36 *** zie has joined #gnucash
21:21:36 *** ChanServ sets mode: +v zie
21:22:22 *** skyenet has joined #gnucash
21:22:22 *** ChanServ sets mode: +v skyenet
21:36:08 *** sacdrj has joined #gnucash
21:59:30 <warlord> jralls, the logincookie IPAddr was NULL
22:00:10 <warlord> Indeed, more than half of them are NULL
22:01:28 <warlord> That query resulted in:
22:01:29 <warlord> +-------+--------+------+---------------------+---------+----------+---------------------+
22:01:29 <warlord> | id | userid | who | profiles_when | fieldid | oldvalue | newvalue |
22:01:29 <warlord> +-------+--------+------+---------------------+---------+----------+---------------------+
22:01:29 <warlord> | 12125 | 7026 | 7026 | 2025-09-23 17:32:19 | 33 | NULL | 2025-09-23 17:32:19 |
22:01:30 <warlord> +-------+--------+------+---------------------+---------+----------+---------------------+
22:01:44 <warlord> So looks like it was created on 9-23.
22:03:20 <warlord> I just deleted all 25 entries in logincookies where the ipaddr was null;
22:03:37 <warlord> There are 20 cookies left.
22:22:50 *** sacdrj has quit IRC
22:36:48 *** sacdrj has joined #gnucash
23:10:00 *** jonakeys has quit IRC
23:10:07 *** jonakeys has joined #gnucash
23:37:08 *** sacdrj has quit IRC